mirror of
https://github.com/XTLS/Xray-core.git
synced 2025-04-30 09:18:34 +00:00
Refactor Vision reader writer
- Vision now use traffic states to capture two-way info about a connection - XTLS is de-couple with Vision, it only read traffic states to switch to direct copy mode - fix a edge case error when Vision unpadding read 5 command bytes
This commit is contained in:
yuhan6665
parent
efd32b0fb2
commit
d6d225c698
5 changed files with 440 additions and 374 deletions
386
proxy/proxy.go
386
proxy/proxy.go
|
|
@ -6,10 +6,14 @@
|
|||
package proxy
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/rand"
|
||||
gotls "crypto/tls"
|
||||
"io"
|
||||
"math/big"
|
||||
"runtime"
|
||||
"strconv"
|
||||
|
||||
"github.com/pires/go-proxyproto"
|
||||
"github.com/xtls/xray-core/common/buf"
|
||||
|
|
@ -27,6 +31,30 @@ import (
|
|||
"github.com/xtls/xray-core/transport/internet/tls"
|
||||
)
|
||||
|
||||
var (
|
||||
Tls13SupportedVersions = []byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}
|
||||
TlsClientHandShakeStart = []byte{0x16, 0x03}
|
||||
TlsServerHandShakeStart = []byte{0x16, 0x03, 0x03}
|
||||
TlsApplicationDataStart = []byte{0x17, 0x03, 0x03}
|
||||
|
||||
Tls13CipherSuiteDic = map[uint16]string{
|
||||
0x1301: "TLS_AES_128_GCM_SHA256",
|
||||
0x1302: "TLS_AES_256_GCM_SHA384",
|
||||
0x1303: "TLS_CHACHA20_POLY1305_SHA256",
|
||||
0x1304: "TLS_AES_128_CCM_SHA256",
|
||||
0x1305: "TLS_AES_128_CCM_8_SHA256",
|
||||
}
|
||||
)
|
||||
|
||||
const (
|
||||
TlsHandshakeTypeClientHello byte = 0x01
|
||||
TlsHandshakeTypeServerHello byte = 0x02
|
||||
|
||||
CommandPaddingContinue byte = 0x00
|
||||
CommandPaddingEnd byte = 0x01
|
||||
CommandPaddingDirect byte = 0x02
|
||||
)
|
||||
|
||||
// An Inbound processes inbound connections.
|
||||
type Inbound interface {
|
||||
// Network returns a list of networks that this inbound supports. Connections with not-supported networks will not be passed into Process().
|
||||
|
|
@ -59,6 +87,364 @@ type GetOutbound interface {
|
|||
GetOutbound() Outbound
|
||||
}
|
||||
|
||||
// TrafficState is used to track uplink and downlink of one connection
|
||||
// It is used by XTLS to determine if switch to raw copy mode, It is used by Vision to calculate padding
|
||||
type TrafficState struct {
|
||||
UserUUID []byte
|
||||
NumberOfPacketToFilter int
|
||||
EnableXtls bool
|
||||
IsTLS12orAbove bool
|
||||
IsTLS bool
|
||||
Cipher uint16
|
||||
RemainingServerHello int32
|
||||
|
||||
// reader link state
|
||||
WithinPaddingBuffers bool
|
||||
ReaderSwitchToDirectCopy bool
|
||||
RemainingCommand int32
|
||||
RemainingContent int32
|
||||
RemainingPadding int32
|
||||
CurrentCommand int
|
||||
|
||||
// write link state
|
||||
IsPadding bool
|
||||
WriterSwitchToDirectCopy bool
|
||||
}
|
||||
|
||||
func NewTrafficState(userUUID []byte) *TrafficState {
|
||||
return &TrafficState{
|
||||
UserUUID: userUUID,
|
||||
NumberOfPacketToFilter: 8,
|
||||
EnableXtls: false,
|
||||
IsTLS12orAbove: false,
|
||||
IsTLS: false,
|
||||
Cipher: 0,
|
||||
RemainingServerHello: -1,
|
||||
WithinPaddingBuffers: true,
|
||||
ReaderSwitchToDirectCopy: false,
|
||||
RemainingCommand: -1,
|
||||
RemainingContent: -1,
|
||||
RemainingPadding: -1,
|
||||
CurrentCommand: 0,
|
||||
IsPadding: true,
|
||||
WriterSwitchToDirectCopy: false,
|
||||
}
|
||||
}
|
||||
|
||||
// VisionReader is used to read xtls vision protocol
|
||||
// Note Vision probably only make sense as the inner most layer of reader, since it need assess traffic state from origin proxy traffic
|
||||
type VisionReader struct {
|
||||
buf.Reader
|
||||
trafficState *TrafficState
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func NewVisionReader(reader buf.Reader, state *TrafficState, context context.Context) *VisionReader {
|
||||
return &VisionReader{
|
||||
Reader: reader,
|
||||
trafficState: state,
|
||||
ctx: context,
|
||||
}
|
||||
}
|
||||
|
||||
func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
|
||||
buffer, err := w.Reader.ReadMultiBuffer()
|
||||
if !buffer.IsEmpty() {
|
||||
if w.trafficState.WithinPaddingBuffers || w.trafficState.NumberOfPacketToFilter > 0 {
|
||||
mb2 := make(buf.MultiBuffer, 0, len(buffer))
|
||||
for _, b := range buffer {
|
||||
newbuffer := XtlsUnpadding(b, w.trafficState, w.ctx)
|
||||
if newbuffer.Len() > 0 {
|
||||
mb2 = append(mb2, newbuffer)
|
||||
}
|
||||
}
|
||||
buffer = mb2
|
||||
if w.trafficState.RemainingContent == 0 && w.trafficState.RemainingPadding == 0 {
|
||||
if w.trafficState.CurrentCommand == 1 {
|
||||
w.trafficState.WithinPaddingBuffers = false
|
||||
} else if w.trafficState.CurrentCommand == 2 {
|
||||
w.trafficState.WithinPaddingBuffers = false
|
||||
w.trafficState.ReaderSwitchToDirectCopy = true
|
||||
} else if w.trafficState.CurrentCommand == 0 {
|
||||
w.trafficState.WithinPaddingBuffers = true
|
||||
} else {
|
||||
newError("XtlsRead unknown command ", w.trafficState.CurrentCommand, buffer.Len()).WriteToLog(session.ExportIDToError(w.ctx))
|
||||
}
|
||||
} else if w.trafficState.RemainingContent > 0 || w.trafficState.RemainingPadding > 0 {
|
||||
w.trafficState.WithinPaddingBuffers = true
|
||||
} else {
|
||||
w.trafficState.WithinPaddingBuffers = false
|
||||
}
|
||||
}
|
||||
if w.trafficState.NumberOfPacketToFilter > 0 {
|
||||
XtlsFilterTls(buffer, w.trafficState, w.ctx)
|
||||
}
|
||||
}
|
||||
return buffer, err
|
||||
}
|
||||
|
||||
// VisionWriter is used to write xtls vision protocol
|
||||
// Note Vision probably only make sense as the inner most layer of writer, since it need assess traffic state from origin proxy traffic
|
||||
type VisionWriter struct {
|
||||
buf.Writer
|
||||
trafficState *TrafficState
|
||||
ctx context.Context
|
||||
writeOnceUserUUID []byte
|
||||
}
|
||||
|
||||
func NewVisionWriter(writer buf.Writer, state *TrafficState, context context.Context) *VisionWriter {
|
||||
w := make([]byte, len(state.UserUUID))
|
||||
copy(w, state.UserUUID)
|
||||
return &VisionWriter{
|
||||
Writer: writer,
|
||||
trafficState: state,
|
||||
ctx: context,
|
||||
writeOnceUserUUID: w,
|
||||
}
|
||||
}
|
||||
|
||||
func (w *VisionWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
|
||||
if w.trafficState.NumberOfPacketToFilter > 0 {
|
||||
XtlsFilterTls(mb, w.trafficState, w.ctx)
|
||||
}
|
||||
if w.trafficState.IsPadding {
|
||||
if len(mb) == 1 && mb[0] == nil {
|
||||
mb[0] = XtlsPadding(nil, CommandPaddingContinue, &w.writeOnceUserUUID, true, w.ctx) // we do a long padding to hide vless header
|
||||
return w.Writer.WriteMultiBuffer(mb)
|
||||
}
|
||||
mb = ReshapeMultiBuffer(w.ctx, mb)
|
||||
longPadding := w.trafficState.IsTLS
|
||||
for i, b := range mb {
|
||||
if w.trafficState.IsTLS && b.Len() >= 6 && bytes.Equal(TlsApplicationDataStart, b.BytesTo(3)) {
|
||||
if w.trafficState.EnableXtls {
|
||||
w.trafficState.WriterSwitchToDirectCopy = true
|
||||
}
|
||||
var command byte = CommandPaddingContinue
|
||||
if i == len(mb) - 1 {
|
||||
command = CommandPaddingEnd
|
||||
if w.trafficState.EnableXtls {
|
||||
command = CommandPaddingDirect
|
||||
}
|
||||
}
|
||||
mb[i] = XtlsPadding(b, command, &w.writeOnceUserUUID, true, w.ctx)
|
||||
w.trafficState.IsPadding = false // padding going to end
|
||||
longPadding = false
|
||||
continue
|
||||
} else if !w.trafficState.IsTLS12orAbove && w.trafficState.NumberOfPacketToFilter <= 1 { // For compatibility with earlier vision receiver, we finish padding 1 packet early
|
||||
w.trafficState.IsPadding = false
|
||||
mb[i] = XtlsPadding(b, CommandPaddingEnd, &w.writeOnceUserUUID, longPadding, w.ctx)
|
||||
break
|
||||
}
|
||||
var command byte = CommandPaddingContinue
|
||||
if i == len(mb) - 1 && !w.trafficState.IsPadding {
|
||||
command = CommandPaddingEnd
|
||||
if w.trafficState.EnableXtls {
|
||||
command = CommandPaddingDirect
|
||||
}
|
||||
}
|
||||
mb[i] = XtlsPadding(b, command, &w.writeOnceUserUUID, longPadding, w.ctx)
|
||||
}
|
||||
}
|
||||
return w.Writer.WriteMultiBuffer(mb)
|
||||
}
|
||||
|
||||
// ReshapeMultiBuffer prepare multi buffer for padding stucture (max 21 bytes)
|
||||
func ReshapeMultiBuffer(ctx context.Context, buffer buf.MultiBuffer) buf.MultiBuffer {
|
||||
needReshape := 0
|
||||
for _, b := range buffer {
|
||||
if b.Len() >= buf.Size-21 {
|
||||
needReshape += 1
|
||||
}
|
||||
}
|
||||
if needReshape == 0 {
|
||||
return buffer
|
||||
}
|
||||
mb2 := make(buf.MultiBuffer, 0, len(buffer)+needReshape)
|
||||
toPrint := ""
|
||||
for i, buffer1 := range buffer {
|
||||
if buffer1.Len() >= buf.Size-21 {
|
||||
index := int32(bytes.LastIndex(buffer1.Bytes(), TlsApplicationDataStart))
|
||||
if index <= 0 || index > buf.Size-21 {
|
||||
index = buf.Size / 2
|
||||
}
|
||||
buffer2 := buf.New()
|
||||
buffer2.Write(buffer1.BytesFrom(index))
|
||||
buffer1.Resize(0, index)
|
||||
mb2 = append(mb2, buffer1, buffer2)
|
||||
toPrint += " " + strconv.Itoa(int(buffer1.Len())) + " " + strconv.Itoa(int(buffer2.Len()))
|
||||
} else {
|
||||
mb2 = append(mb2, buffer1)
|
||||
toPrint += " " + strconv.Itoa(int(buffer1.Len()))
|
||||
}
|
||||
buffer[i] = nil
|
||||
}
|
||||
buffer = buffer[:0]
|
||||
newError("ReshapeMultiBuffer ", toPrint).WriteToLog(session.ExportIDToError(ctx))
|
||||
return mb2
|
||||
}
|
||||
|
||||
// XtlsPadding add padding to eliminate length siganature during tls handshake
|
||||
func XtlsPadding(b *buf.Buffer, command byte, userUUID *[]byte, longPadding bool, ctx context.Context) *buf.Buffer {
|
||||
var contentLen int32 = 0
|
||||
var paddingLen int32 = 0
|
||||
if b != nil {
|
||||
contentLen = b.Len()
|
||||
}
|
||||
if contentLen < 900 && longPadding {
|
||||
l, err := rand.Int(rand.Reader, big.NewInt(500))
|
||||
if err != nil {
|
||||
newError("failed to generate padding").Base(err).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
paddingLen = int32(l.Int64()) + 900 - contentLen
|
||||
} else {
|
||||
l, err := rand.Int(rand.Reader, big.NewInt(256))
|
||||
if err != nil {
|
||||
newError("failed to generate padding").Base(err).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
paddingLen = int32(l.Int64())
|
||||
}
|
||||
if paddingLen > buf.Size-21-contentLen {
|
||||
paddingLen = buf.Size - 21 - contentLen
|
||||
}
|
||||
newbuffer := buf.New()
|
||||
if userUUID != nil {
|
||||
newbuffer.Write(*userUUID)
|
||||
*userUUID = nil
|
||||
}
|
||||
newbuffer.Write([]byte{command, byte(contentLen >> 8), byte(contentLen), byte(paddingLen >> 8), byte(paddingLen)})
|
||||
if b != nil {
|
||||
newbuffer.Write(b.Bytes())
|
||||
b.Release()
|
||||
b = nil
|
||||
}
|
||||
newbuffer.Extend(paddingLen)
|
||||
newError("XtlsPadding ", contentLen, " ", paddingLen, " ", command).WriteToLog(session.ExportIDToError(ctx))
|
||||
return newbuffer
|
||||
}
|
||||
|
||||
// XtlsUnpadding remove padding and parse command
|
||||
func XtlsUnpadding(b *buf.Buffer, s *TrafficState, ctx context.Context) *buf.Buffer {
|
||||
if s.RemainingCommand == -1 && s.RemainingContent == -1 && s.RemainingPadding == -1 { // inital state
|
||||
if b.Len() >= 21 && bytes.Equal(s.UserUUID, b.BytesTo(16)) {
|
||||
b.Advance(16)
|
||||
s.RemainingCommand = 5
|
||||
} else {
|
||||
return b
|
||||
}
|
||||
}
|
||||
newbuffer := buf.New()
|
||||
for b.Len() > 0 {
|
||||
if s.RemainingCommand > 0 {
|
||||
data, err := b.ReadByte()
|
||||
if err != nil {
|
||||
return newbuffer
|
||||
}
|
||||
switch s.RemainingCommand {
|
||||
case 5:
|
||||
s.CurrentCommand = int(data)
|
||||
case 4:
|
||||
s.RemainingContent = int32(data)<<8
|
||||
case 3:
|
||||
s.RemainingContent = s.RemainingContent | int32(data)
|
||||
case 2:
|
||||
s.RemainingPadding = int32(data)<<8
|
||||
case 1:
|
||||
s.RemainingPadding = s.RemainingPadding | int32(data)
|
||||
newError("Xtls Unpadding new block, content ", s.RemainingContent, " padding ", s.RemainingPadding, " command ", s.CurrentCommand).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
s.RemainingCommand--
|
||||
} else if s.RemainingContent > 0 {
|
||||
len := s.RemainingContent
|
||||
if b.Len() < len {
|
||||
len = b.Len()
|
||||
}
|
||||
data, err := b.ReadBytes(len)
|
||||
if err != nil {
|
||||
return newbuffer
|
||||
}
|
||||
newbuffer.Write(data)
|
||||
s.RemainingContent -= len
|
||||
} else { // remainingPadding > 0
|
||||
len := s.RemainingPadding
|
||||
if b.Len() < len {
|
||||
len = b.Len()
|
||||
}
|
||||
b.Advance(len)
|
||||
s.RemainingPadding -= len
|
||||
}
|
||||
if s.RemainingCommand <= 0 && s.RemainingContent <= 0 && s.RemainingPadding <= 0 { // this block done
|
||||
if s.CurrentCommand == 0 {
|
||||
s.RemainingCommand = 5
|
||||
} else {
|
||||
s.RemainingCommand = -1 // set to initial state
|
||||
s.RemainingContent = -1
|
||||
s.RemainingPadding = -1
|
||||
if b.Len() > 0 { // shouldn't happen
|
||||
newbuffer.Write(b.Bytes())
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
b.Release()
|
||||
b = nil
|
||||
return newbuffer
|
||||
}
|
||||
|
||||
// XtlsFilterTls filter and recognize tls 1.3 and other info
|
||||
func XtlsFilterTls(buffer buf.MultiBuffer, trafficState *TrafficState, ctx context.Context) {
|
||||
for _, b := range buffer {
|
||||
if b == nil {
|
||||
continue
|
||||
}
|
||||
trafficState.NumberOfPacketToFilter--
|
||||
if b.Len() >= 6 {
|
||||
startsBytes := b.BytesTo(6)
|
||||
if bytes.Equal(TlsServerHandShakeStart, startsBytes[:3]) && startsBytes[5] == TlsHandshakeTypeServerHello {
|
||||
trafficState.RemainingServerHello = (int32(startsBytes[3])<<8 | int32(startsBytes[4])) + 5
|
||||
trafficState.IsTLS12orAbove = true
|
||||
trafficState.IsTLS = true
|
||||
if b.Len() >= 79 && trafficState.RemainingServerHello >= 79 {
|
||||
sessionIdLen := int32(b.Byte(43))
|
||||
cipherSuite := b.BytesRange(43+sessionIdLen+1, 43+sessionIdLen+3)
|
||||
trafficState.Cipher = uint16(cipherSuite[0])<<8 | uint16(cipherSuite[1])
|
||||
} else {
|
||||
newError("XtlsFilterTls short server hello, tls 1.2 or older? ", b.Len(), " ", trafficState.RemainingServerHello).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
} else if bytes.Equal(TlsClientHandShakeStart, startsBytes[:2]) && startsBytes[5] == TlsHandshakeTypeClientHello {
|
||||
trafficState.IsTLS = true
|
||||
newError("XtlsFilterTls found tls client hello! ", buffer.Len()).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
}
|
||||
if trafficState.RemainingServerHello > 0 {
|
||||
end := trafficState.RemainingServerHello
|
||||
if end > b.Len() {
|
||||
end = b.Len()
|
||||
}
|
||||
trafficState.RemainingServerHello -= b.Len()
|
||||
if bytes.Contains(b.BytesTo(end), Tls13SupportedVersions) {
|
||||
v, ok := Tls13CipherSuiteDic[trafficState.Cipher]
|
||||
if !ok {
|
||||
v = "Old cipher: " + strconv.FormatUint(uint64(trafficState.Cipher), 16)
|
||||
} else if v != "TLS_AES_128_CCM_8_SHA256" {
|
||||
trafficState.EnableXtls = true
|
||||
}
|
||||
newError("XtlsFilterTls found tls 1.3! ", b.Len(), " ", v).WriteToLog(session.ExportIDToError(ctx))
|
||||
trafficState.NumberOfPacketToFilter = 0
|
||||
return
|
||||
} else if trafficState.RemainingServerHello <= 0 {
|
||||
newError("XtlsFilterTls found tls 1.2! ", b.Len()).WriteToLog(session.ExportIDToError(ctx))
|
||||
trafficState.NumberOfPacketToFilter = 0
|
||||
return
|
||||
}
|
||||
newError("XtlsFilterTls inconclusive server hello ", b.Len(), " ", trafficState.RemainingServerHello).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
if trafficState.NumberOfPacketToFilter <= 0 {
|
||||
newError("XtlsFilterTls stop filtering", buffer.Len()).WriteToLog(session.ExportIDToError(ctx))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// UnwrapRawConn support unwrap stats, tls, utls, reality and proxyproto conn and get raw tcp conn from it
|
||||
func UnwrapRawConn(conn net.Conn) (net.Conn, stats.Counter, stats.Counter) {
|
||||
var readCounter, writerCounter stats.Counter
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue